From 7a5a402b56513cc3ce8c4f8ae3307b43bacc06b6 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 7 Dec 2017 08:30:01 +0100
Subject: [PATCH 1/1] honor disabled flag on group rules again

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/PVE/Firewall.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c858b85..2feac54 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2417,6 +2417,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'in';
+	next if !$rule->{enable} || $rule->{errors};
 	next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
 	rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
 	ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf);
@@ -2429,6 +2430,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'out';
+	next if !$rule->{enable} || $rule->{errors};
 	next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
 	# we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
 	# check also other tap rules later
-- 
2.39.2